Vulnerability in Fortinet firewalls being exploited


3:45pm, 1 December 2020

TLP Rating: Clear


Vulnerability CVE-2018-13379, published in 2019, has been exploited to access sensitive information from vulnerable devices running Fortinet’s FortiOS software.

This allows an attacker to steal plain text SSL VPN credentials, which can be used to log in to the SSL VPN. A list of credentials obtained from vulnerable services has been publicly posted. The list includes any local users that were logged in to the VPN at the time of collection.

What's happening

Systems affected

Fortinet devices running the SSL VPN service with local authentication for users, on the following FortiOS versions:

  • FortiOS 6.0.0 to 6.0.4
  • FortiOS 5.6.3 to 5.6.7
  • FortiOS 5.4.6 to 5.4.12
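To triage a fleet against the three version ranges above, a small checker is useful, because textual comparison of version strings gets ranges such as 5.4.12 versus 5.4.6 wrong. The following is an added example, not code from CERT NZ or Fortinet; the input format it parses (a bare "6.0.4" or a "v6.0.4,build0231,..." style string) is an assumption about how a version might be recorded in an asset inventory, and the inventory itself is constructed sample data.

```python
# Added example (not CERT NZ's or Fortinet's code): check whether a FortiOS
# version falls inside one of the ranges this advisory lists as affected.
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Affected ranges exactly as stated in the advisory, inclusive at both ends.
AFFECTED_RANGES: Tuple[Tuple[Version, Version], ...] = (
    ((6, 0, 0), (6, 0, 4)),
    ((5, 6, 3), (5, 6, 7)),
    ((5, 4, 6), (5, 4, 12)),
)


def parse_version(text: str) -> Optional[Version]:
    """Turn '6.0.4', 'v6.0.4' or 'v6.0.4,build0231,190108' into (6, 0, 4).

    The ',build...' suffix handling is an assumption about inventory formatting.
    Returns None when the string is not three dotted integers.
    """
    core = text.strip().lstrip("vV").split(",")[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        return None
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def is_affected_version(text: str) -> Optional[bool]:
    """True if the version is in an affected range, False if not, None if unparseable."""
    version = parse_version(text)
    if version is None:
        return None
    # Tuple comparison is numeric per component, so 5.4.12 > 5.4.6 as intended.
    return any(low <= version <= high for low, high in AFFECTED_RANGES)


def triage_inventory(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Split a {device_name: version_string} inventory into affected / not / unknown."""
    result: Dict[str, List[str]] = {"affected": [], "not_affected": [], "unknown": []}
    for name, version_text in inventory.items():
        verdict = is_affected_version(version_text)
        if verdict is None:
            result["unknown"].append(name)
        elif verdict:
            result["affected"].append(name)
        else:
            result["not_affected"].append(name)
    return result


if __name__ == "__main__":
    # Constructed sample inventory, not real device data.
    sample = {
        "fw-akl-01": "v6.0.4,build0231,190108",
        "fw-wlg-01": "6.0.5",
        "fw-chc-01": "5.4.12",
        "fw-dud-01": "5.6.2",
        "fw-lab-01": "6.2",
    }
    for bucket, names in triage_inventory(sample).items():
        print(f"{bucket}: {', '.join(names) or '-'}")
```

Devices that land in "affected" need the patch and the credential reset described under "What to do"; devices in "unknown" need their version confirmed rather than being treated as safe.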

What this means

If you have affected devices that have not been patched, or have only recently been patched, then it’s likely your SSL VPN credentials have been compromised.

What to look for

How to tell if you're affected

Check your Fortinet device logs for requests to the following URL or similar, which may indicate SSL VPN credentials being compromised. Please note, you will need to remove the spaces following the /.. sections when copying or using the text below.

/remote/fgt_lang?lang=/.. /.. /.. /.. //////////dev/cmdb/sslvpn_websession

Also check the access logs for the SSL VPN service for any unexpected or unusual connections, which may indicate use of the compromised credentials to access the VPN.
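A log search for the exact string above will miss percent-encoded or otherwise varied forms of the same request, which is why the advisory says "or similar". The following is an added example, not code from CERT NZ or Fortinet: it normalises each request path (percent-decoding, including double encoding, and stripping whitespace) and flags requests to /remote/fgt_lang whose lang parameter reaches for sslvpn_websession or contains a traversal sequence. The log lines are constructed in a generic web-access style for the example; they are not real FortiGate output, and the FortiOS log format is not assumed.

```python
# Added example (not CERT NZ's or Fortinet's code): flag requests matching the
# CVE-2018-13379 path-traversal pattern described in the advisory.
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample log lines (generic access-log style, not real FortiGate logs).
SAMPLE_LOGS = [
    '203.0.113.10 - - [25/Nov/2020:03:14:07 +1300] "GET /remote/login?lang=en HTTP/1.1" 200 1582',
    '198.51.100.7 - - [25/Nov/2020:03:14:09 +1300] "GET /remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession HTTP/1.1" 200 96321',
    '198.51.100.7 - - [25/Nov/2020:03:15:41 +1300] "GET /remote/fgt_lang?lang=%2F..%2F..%2F..%2F..%2F%2Fdev%2Fcmdb%2Fsslvpn_websession HTTP/1.1" 200 96400',
    '192.0.2.55 - - [25/Nov/2020:03:16:00 +1300] "GET /remote/fgt_lang?lang=en HTTP/1.1" 200 2310',
]

# Assumed line layout: <src> - - [<timestamp>] "<METHOD> <path> HTTP/x"
REQUEST_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)'
)


def classify_request(raw_path: str) -> Optional[str]:
    """Return a verdict for one request path, or None if it looks benign.

    'credential-file-read': /remote/fgt_lang with lang pointing at sslvpn_websession,
    'traversal-attempt':    /remote/fgt_lang with a '..' sequence in lang.
    """
    # Remove whitespace (the advisory's defanged form inserts spaces) and decode twice
    # so that double-percent-encoded traversal sequences are still seen.
    path = re.sub(r"\s+", "", raw_path)
    parts = urlsplit(path)
    if unquote(parts.path).lower() != "/remote/fgt_lang":
        return None
    lang_values = parse_qs(parts.query).get("lang", [])
    for value in lang_values:
        decoded = unquote(value).lower()
        if "sslvpn_websession" in decoded:
            return "credential-file-read"
        if ".." in decoded:
            return "traversal-attempt"
    return None


def find_suspicious(lines: List[str]) -> List[Dict[str, str]]:
    """Scan log lines and return one record per request that matches the pattern."""
    hits: List[Dict[str, str]] = []
    for line in lines:
        match = REQUEST_RE.match(line)
        if not match:
            continue  # not a request line in the assumed layout
        verdict = classify_request(match.group("path"))
        if verdict:
            hits.append({
                "src": match.group("src"),
                "time": match.group("ts"),
                "path": match.group("path"),
                "verdict": verdict,
            })
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOGS):
        print(f"{hit['time']} {hit['src']} {hit['verdict']} {hit['path']}")
```

Every source address that produces a "credential-file-read" hit is a starting point for the second check the advisory describes: review SSL VPN access logs for logins from that address, or from anywhere unexpected, after the time of the hit, since those are the connections most likely to be using the stolen credentials.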

What to do

Prevention

Patch your Fortinet devices. Once patched, change the passwords of any local SSL VPN users.


Mitigation

VPN services should be configured to use MFA, which would protect against stolen credentials being used to access the VPN.

More information

Fortinet's security advisory can be found on their website.

This advisory follows on from our 2019 alert about VPN vulnerabilities:

Virtual private network (VPN) vulnerabilities being exploited

If you require more information or further support, submit a report on our website or contact us on 0800 CERTNZ.